author | Christian Poessinger <christian@poessinger.com> | 2020-04-11 15:12:52 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-04-11 15:12:52 +0200 |
commit | 07080afd4015a900fb7474e1c81008f58b478565 (patch) | |
tree | 3d879f900b09f1437d8063a594a3c98dcb52008d | |
parent | f8e9d1ecea05aa40555b7eb7e337f7fb9e495bae (diff) | |
download | vyos-1x-07080afd4015a900fb7474e1c81008f58b478565.tar.gz vyos-1x-07080afd4015a900fb7474e1c81008f58b478565.zip |
vpn: l2tp: T2264: migrate IPv6 prefix node to common CLI style
Combining multiple options into a single CLI node is considered bad practice.
IPv6 prefixes consisted of the prefix itself and a mask sent to the client in
one node only.
The following CLI parts have been migrated from
client-ipv6-pool {
delegate-prefix fc00:0:1::/48,64
prefix 2001:db8::/64,64
}
to
client-ipv6-pool {
delegate fc00:0:1::/48 {
delegation-prefix 48
}
prefix 2001:db8::/48 {
mask 64
}
}
Thus regular validation steps from the VyOS CLI can be used when a prefix is
configured.
-rw-r--r-- | data/templates/l2tp/l2tp.config.tmpl | 8 | ||||
-rw-r--r-- | interface-definitions/vpn-l2tp.xml.in | 56 | ||||
-rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 30 | ||||
-rwxr-xr-x | src/migration-scripts/l2tp/2-to-3 | 28 |
4 files changed, 102 insertions, 20 deletions
diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl
index 0dcff1371..ba78cadcd 100644
--- a/data/templates/l2tp/l2tp.config.tmpl
+++ b/data/templates/l2tp/l2tp.config.tmpl
@@ -118,11 +118,11 @@ ipv6=allow
 {% if client_ipv6_pool %}
 [ipv6-pool]
-{% for prefix in client_ipv6_pool %}
-{{ prefix }}
+{% for p in client_ipv6_pool %}
+{{ p.prefix }},{{ p.mask }}
 {% endfor %}
-{% for prefix in client_ipv6_delegate_prefix %}
-delegate={{ prefix }}
+{% for p in client_ipv6_delegate_prefix %}
+delegate={{ p.prefix }},{{ p.mask }}
 {% endfor %}
 {% endif %}
diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in
index 84dd8187c..d4286a810 100644
--- a/interface-definitions/vpn-l2tp.xml.in
+++ b/interface-definitions/vpn-l2tp.xml.in
@@ -237,26 +237,58 @@ <help>Pool of client IPv6 addresses</help> </properties> <children> - <leafNode name="prefix"> + <tagNode name="prefix"> <properties> - <help>IPV6 prefix delegation</help> + <help>Pool of addresses used to assign to clients</help> <valueHelp> - <format>ipv6prefix/mask,prefix_len</format> - <description>e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients</description> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> </valueHelp> - <multi /> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> </properties> - </leafNode> - <leafNode name="delegate-prefix"> + <children> + <leafNode name="mask"> + <properties> + <help>Prefix length used for individual client</help> + <valueHelp> + <format><48-128></format> + <description>Client prefix length (default: 64)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 48-128"/> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> + <tagNode name="delegate"> <properties> - <help>DHCPv6 prefix delegation - rfc3633</help> + <help>Subnet used to delegate prefix through DHCPv6-PD (RFC3633)</help> <valueHelp> - <format>ipv6prefix/mask,prefix_len</format> - <description>Delegate to clients through DHCPv6 prefix delegation - rfc3633</description> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> </valueHelp> - <multi /> + <constraint> + <validator name="ipv6-prefix"/> + </constraint> </properties> - </leafNode> + <children> + <leafNode name="delegation-prefix"> + <properties> + <help>Prefix length delegated to client</help> + <valueHelp> + <format><32-64></format> + <description>Delegated prefix length</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 32-64"/> + </constraint> + </properties> + </leafNode> + </children> + </tagNode> </children> </node> <leafNode name="description"> 
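Review bot: The new `delegation-prefix` leaf under the `delegate` tag node is treated as mandatory by verify() in this commit, but its help text does not say so; `<help>Prefix length delegated to client (required)</help>` would make that visible at configuration time instead of only at commit. The `<48-128>` range on the `mask` leaf also admits a value shorter than the pool prefix itself (e.g. a /64 pool with mask 48), which presumably cannot be split into client prefixes; the XML cannot express that cross-field constraint, so the comparison belongs in verify(). The enclosing `client-ipv6-pool` node starts outside the hunk.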
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 08654e2ff..7cfb4e74e 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -232,12 +232,30 @@ def get_config(): l2tp['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) if conf.exists(['client-ipv6-pool', 'prefix']): - l2tp['client_ipv6_pool'] = conf.return_values(['client-ipv6-pool', 'prefix']) l2tp['ip6_column'].append('ip6') + for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']): + tmp = { + 'prefix': prefix, + 'mask': '64' + } + + if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask']) - if conf.exists(['client-ipv6-pool', 'delegate-prefix']): - l2tp['client_ipv6_delegate_prefix'] = conf.return_values(['client-ipv6-pool', 'delegate-prefix']) - l2tp['ip6_column'].append('ip6-dp') + l2tp['client_ipv6_pool'].append(tmp) + + if conf.exists(['client-ipv6-pool', 'delegate']): + l2tp['ip6_column'].append('ip6-db') + for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']): + tmp = { + 'prefix': prefix, + 'mask': '' + } + + if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'mask']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) + + l2tp['client_ipv6_delegate_prefix'].append(tmp) if conf.exists(['mtu']): l2tp['mtu'] = conf.return_value(['mtu']) @@ -306,6 +324,10 @@ def verify(l2tp): if l2tp['client_ipv6_delegate_prefix'] and not l2tp['client_ipv6_pool']: raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix') + for prefix in l2tp['client_ipv6_delegate_prefix']: + if not prefix['mask']: + raise ConfigError('Delegation-prefix required for individual delegated networks') + if len(l2tp['wins']) > 2: raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') 
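Review bot: In the `delegate` loop of get_config() the existence check looks for `['client-ipv6-pool', 'delegate', prefix, 'mask']` while the value is read from `delegation-prefix`, which is the leaf the interface definition in this commit actually declares; since no `mask` node can exist under `delegate`, `tmp['mask']` always stays `''` and the new verify() check rejects every delegated prefix. The check should be `if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']):`. The column name on the `ip6_column.append` line also changes from `'ip6-dp'` to `'ip6-db'`; if that is not a deliberate rename of the accel-ppp column it will silently break delegated-prefix assignment, so it is worth confirming. verify() would additionally be the place to reject a `mask` shorter than the pool prefix length, which the XML range cannot express. get_config() starts outside the hunk.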
diff --git a/src/migration-scripts/l2tp/2-to-3 b/src/migration-scripts/l2tp/2-to-3 index e24d1ffa9..bd0839e03 100755 --- a/src/migration-scripts/l2tp/2-to-3 +++ b/src/migration-scripts/l2tp/2-to-3 @@ -75,6 +75,34 @@ else: if config.exists(radius_base + ['server', server, 'req-limit']): config.delete(radius_base + ['server', server, 'req-limit']) + # Migrate IPv6 prefixes + ipv6_base = base + ['client-ipv6-pool'] + if config.exists(ipv6_base + ['prefix']): + prefix_old = config.return_values(ipv6_base + ['prefix']) + # delete old prefix CLI nodes + config.delete(ipv6_base + ['prefix']) + # create ned prefix tag node + config.set(ipv6_base + ['prefix']) + config.set_tag(ipv6_base + ['prefix']) + + for p in prefix_old: + prefix = p.split(',')[0] + mask = p.split(',')[1] + config.set(ipv6_base + ['prefix', prefix, 'mask'], value=mask) + + if config.exists(ipv6_base + ['delegate-prefix']): + prefix_old = config.return_values(ipv6_base + ['delegate-prefix']) + # delete old delegate prefix CLI nodes + config.delete(ipv6_base + ['delegate-prefix']) + # create ned delegation tag node + config.set(ipv6_base + ['delegate ']) + config.set_tag(ipv6_base + ['delegate ']) + + for p in prefix_old: + prefix = p.split(',')[0] + mask = p.split(',')[1] + config.set(ipv6_base + ['delegate', prefix, 'mask'], value=mask) + try: with open(file_name, 'w') as f: f.write(config.to_string()) |
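Review bot: The delegate branch of the migration writes the client prefix length to `['delegate', prefix, 'mask']` and creates the tag node as `'delegate '` with a trailing space, while the interface definition in this commit names the leaf `delegation-prefix` under `delegate`, so a migrated configuration would not load against the new CLI. The three lines should read `config.set(ipv6_base + ['delegate'])`, `config.set_tag(ipv6_base + ['delegate'])` and `config.set(ipv6_base + ['delegate', prefix, 'delegation-prefix'], value=mask)`. Both loops also index `p.split(',')[1]` unconditionally; the old `<multi />` leaf carried no validator, so a stored value without a comma raises IndexError and aborts the whole migration. `prefix, _, mask = p.partition(',')` with the `config.set(..., value=mask)` call skipped when `mask` is empty keeps the prefix node and leaves the missing length for verify() to report. The enclosing `else:` block starts outside the hunk.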